What Are the Benefits of Multi-factor Authentication?

Back in the halcyon days of the internet, security practitioners argued that identity was the “new perimeter,” suggesting that organizations could future-proof their security by implementing robust authentication and authorization mechanisms. With digital transformation, that future is now. Organizations increasingly adopt more “X-as-a-Service,” cloud-delivered technologies that reduce operational costs and improve workforce member collaboration. Simultaneously, malicious actors target user credentials and web login portals to gain unauthorized access to corporate assets.  

As organizations work to secure their cloud infrastructures, multi-factor authentication (MFA) acts as a security mechanism that helps mitigate data breach risks.  

What is Multi-Factor Authentication (MFA), and how does it work? 

Multi-factor authentication (MFA) requires users to answer additional questions that help prove they are who they say they are when requesting access to cloud resources. Typically, MFA includes two or more of the following: 

  • Something you know: a password or passphrase 
  • Something you have: a token or smartphone with an authentication application on it like Microsoft Authenticator, Google Authenticator, or Duo 
  • Something you are: a biometric, like a fingerprint or face ID

The MFA process typically uses the following steps: 

  • Registration: The user provides primary credentials when setting up a new account, like creating a username or inputting an email combined with a password.  
  • Account confirmation: The service messages the provided email address requesting that the user click a link to prove they initiated the account creation process. 
  • Linking additional information: The service ties the user’s credentials to either a cell phone number, biometric, or application, like an authenticator. 
  • Challenge request: Once the service verifies the password, it prompts the user to answer a “challenge question,” like opening up the authentication application or using a one-time code delivered via email or SMS. 
  • Access granted: When the user supplies the correct answer, they gain access to the service.  
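The registration and challenge steps above, worked through in code. This is an added example, not code from the original article or from any identity provider: it stores a salted password hash at registration, issues a TOTP secret for an authenticator app (the "something you have" factor, computed per RFC 4226/6238), and on login checks the password before the one-time code. The in-memory `USERS` store, the `register()`/`login()` names and the replay rule (each time step's code is accepted once) are assumptions made for illustration.

```python
"""Password + TOTP login flow. Added example; the user store and the
register()/login() API are assumptions, not any real IdP's code."""
import hashlib
import hmac
import secrets
import struct

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6           # code length shown by authenticator apps
PBKDF2_ROUNDS = 200_000

USERS = {}           # constructed in-memory store: username -> record


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, now // step)


def register(username: str, password: str) -> bytes:
    """Registration: salted password hash plus a fresh TOTP secret.
    The secret is shown to the user once (e.g. as a QR code) to enrol the app."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    totp_secret = secrets.token_bytes(20)
    USERS[username] = {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest time step already consumed; blocks replay
    }
    return totp_secret


def login(username: str, password: str, code: str, now: int, window: int = 1):
    """Challenge flow: verify the password, then the one-time code.
    Returns (granted, reason). Tolerates +/- `window` steps of clock drift,
    but never accepts a code for a time step that was already used."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known usernames take similar time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False, "bad credentials"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad credentials"
    counter = now // STEP
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= user["last_counter"]:
            continue                                  # already consumed: reject replay
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True, "granted"
    return False, "bad or reused one-time code"
```

The `hotp()` function reproduces the RFC 4226 test vectors for the secret `12345678901234567890` (counter 1 gives `287082`), so an authenticator app enrolled with the same secret will show the same codes. Rejecting an already-used time step is what stops a code intercepted by phishing from being replayed within its 30-second validity.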

What is the purpose of MFA? 

MFA acts as additional security at the identity and access layer seeking to mitigate risks arising from: 

  • Phishing attacks: using social engineering tactics to trick users into sharing passwords that can be used as part of other credential-based attacks 
  • Brute force attacks: trying various weak passwords against a single user login ID to see if it provides access 
  • Password spray: trying a known risky password against multiple user login IDs to see if it provides access 
  • Credential stuffing: using a list of known login IDs and passwords linked to one application and trying them against other applications to see if they provide access 
  • Leaked credentials: using credentials stolen during data breaches or purchased from dark web forums 
  • API credential stuffing attack: targeting an organization’s APIs, typically a login API, while adjusting request timing, request volume, and the interval between retries to evade detection and gain unauthorized access 
  • Distributed Denial of Service (DDoS): high volumes of requests targeting an application’s login can lead to a DDoS at the application or network level.  

As with every security measure, malicious actors have sought to undermine it. Over the last few years, they began deploying MFA fatigue attacks, also called MFA bombing attacks. These attacks use automation to flood users with login approval notifications until, overwhelmed, the user approves one and the malicious actors gain access.  
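The attack patterns listed above, and the MFA fatigue pattern just described, leave recognizable traces in authentication logs. The detection logic below is an added example, not code from the original article or from Vercara: it parses a constructed log format (`date time user src_ip event result`), then flags brute force (many password failures against one user), password spray (one source IP failing against many distinct users) and MFA fatigue (many push challenges sent to one user in a short window). The sample log lines, the field layout and the thresholds are assumptions chosen for illustration.

```python
"""Flag brute force, password spray and MFA-fatigue patterns in auth logs.
Added example; log format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (IPs from documentation ranges), not a real product's output.
SAMPLE_LOG = """\
2024-07-11 10:00:01 alice 203.0.113.10 password FAIL
2024-07-11 10:00:03 alice 203.0.113.10 password FAIL
2024-07-11 10:00:05 alice 203.0.113.10 password FAIL
2024-07-11 10:00:07 alice 203.0.113.10 password FAIL
2024-07-11 10:00:09 alice 203.0.113.10 password FAIL
2024-07-11 10:05:00 bob 198.51.100.7 password FAIL
2024-07-11 10:05:02 carol 198.51.100.7 password FAIL
2024-07-11 10:05:04 dave 198.51.100.7 password FAIL
2024-07-11 10:05:06 erin 198.51.100.7 password FAIL
2024-07-11 10:10:00 frank 192.0.2.25 password OK
2024-07-11 10:10:01 frank 192.0.2.25 mfa_push SENT
2024-07-11 10:10:20 frank 192.0.2.25 mfa_push SENT
2024-07-11 10:10:40 frank 192.0.2.25 mfa_push SENT
2024-07-11 10:11:00 frank 192.0.2.25 mfa_push SENT
2024-07-11 10:11:05 frank 192.0.2.25 mfa_push APPROVED
2024-07-11 10:20:00 grace 192.0.2.30 password OK
2024-07-11 10:20:01 grace 192.0.2.30 mfa_push SENT
2024-07-11 10:20:09 grace 192.0.2.30 mfa_push APPROVED
"""

# Thresholds are assumptions; tune them to the environment's normal traffic.
BRUTE_FORCE = (5, 300)   # >= 5 password failures for one user within 300 s
SPRAY = (4, 300)         # >= 4 distinct users failing from one source IP within 300 s
FATIGUE = (4, 120)       # >= 4 push challenges sent to one user within 120 s


def parse(log_text):
    """Turn log lines into (timestamp, user, src_ip, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, user, src_ip, event, result = line.split()
        t = datetime.fromisoformat(f"{date} {clock}").timestamp()
        events.append((t, user, src_ip, event, result))
    return events


def max_distinct_in_window(items, window):
    """items: (timestamp, key). Largest number of distinct keys seen in any
    sliding window of `window` seconds."""
    items = sorted(items)
    counts = {}
    best = start = 0
    for t, key in items:
        counts[key] = counts.get(key, 0) + 1
        while t - items[start][0] > window:       # drop events that fell out of the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(log_text):
    """Return sorted (pattern, subject) findings for the three patterns."""
    events = parse(log_text)
    pw_fail_by_user = defaultdict(list)
    pw_fail_by_ip = defaultdict(list)
    push_by_user = defaultdict(list)
    for i, (t, user, src_ip, event, result) in enumerate(events):
        if event == "password" and result == "FAIL":
            pw_fail_by_user[user].append((t, i))      # unique index as key: counts events
            pw_fail_by_ip[src_ip].append((t, user))   # user as key: counts distinct victims
        elif event == "mfa_push" and result == "SENT":
            push_by_user[user].append((t, i))
    findings = []
    n, w = BRUTE_FORCE
    findings += [("brute_force", u) for u, it in pw_fail_by_user.items()
                 if max_distinct_in_window(it, w) >= n]
    n, w = SPRAY
    findings += [("password_spray", ip) for ip, it in pw_fail_by_ip.items()
                 if max_distinct_in_window(it, w) >= n]
    n, w = FATIGUE
    findings += [("mfa_fatigue", u) for u, it in push_by_user.items()
                 if max_distinct_in_window(it, w) >= n]
    return sorted(findings)
```

Note the difference in keying: brute force counts failures per user, while password spray counts distinct users per source IP, which is why a single attacker hammering one account (`203.0.113.10` above) is not reported as a spray. The fatigue rule counts challenges sent, not approvals, so it fires before the user gives in.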

How do MFA and single sign-on (SSO) differ? 

Software-as-a-service (SaaS) identity providers (IdP), like Azure IdP, Okta, or Duo, are the glue between cloud providers and identity stores like Active Directory or LDAP. IdPs manage and verify users’ credentials, authenticating identities and authorizing access to services.

While an IdP may provide MFA in conjunction with SSO, organizations may implement either identity and access management (IAM) mechanism on its own, so understanding their differences is important: 

  • MFA: requiring users to provide multiple pieces of evidence to prove that they initiated the login request, reducing unauthorized access risks. 
  • SSO: using a single set of login credentials to access multiple applications or systems, reducing the number of usernames and passwords users must manage and simplifying login processes. 

Using MFA and SSO together might look like this: 

  • A user logs into a Microsoft account to gain access to their device and SharePoint. 
  • The user inputs the provided code into the Microsoft Authenticator application.  
  • The user can log into other services, like Salesforce or HubSpot.  

4 considerations when implementing MFA for cloud services.

While MFA is a critical security control, many organizations struggle to implement it within their cloud environment. Before implementing MFA, organizations need a foundation of identity and access that identifies all: 

  • Users 
  • Groups 
  • Roles 

When implementing MFA, organizations need to consider various aspects of their existing systems and whether they work with current databases, applications, and network solutions.  

1. Know all access points.  

As MFA works at the access layer, the first step for most organizations is identifying all potential access points. When engaging in this process, organizations need to know all workforce members and applications that access resources, meaning they should identify: 

  • Contractors: users outside the organization’s control who may be accessing resources directly or through portals
  • APIs: access points that enable communications between applications and back-end services, like databases 
  • VPN: remote access for employees and contractors
  • Cloud providers: administrative accounts on the cloud provider to provision or change services and their configurations
  • SaaS services and websites: web services that employees access as normal users with their organizational login accounts

2. Determine vendor integration capabilities.

As malicious actors increasingly target both IT and cybersecurity Software-as-a-Service (SaaS) solutions, organizations need to incorporate MFA across their entire cloud environment. When choosing a business-to-business (B2B) SaaS application, organizations should ensure that the technology offers a “bring-your-own” identity provider (IdP) or SSO capability, and check whether it is offered only as an add-on service for an additional charge.   

As part of the vendor procurement process, organizations should consider whether a technology:  

  • Integrates with the current identity provider, like Active Directory (AD), used to store and manage user identities, including usernames, passwords, and access permissions 
  • Integrates with the current SSO technology so that users do not have to create additional passwords, reducing risk arising from password re-use or weak passwords

3. Incorporate adaptive MFA for risky access and users. 

Adaptive MFA applies context from business rules and user information to help identify risky user access requiring additional controls. Some examples of use cases may include: 

  • Privileged users: people with higher than standard access, like domain admins or local admins 
  • Privileged identities: non-human or machines with higher than standard access, including service accounts or APIs transmitting sensitive data 
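An adaptive MFA policy combines the request context with business rules like the two above. The decision logic below is an added example, not code from the original article or from any vendor's rule engine: each contextual signal adds to a risk score, privileged users always reach the step-up threshold, and privileged non-human identities (service accounts, API clients) are handled separately because they cannot answer a push prompt or type a code. The `AccessRequest` fields, the role names, the weights and the two thresholds are assumptions chosen for illustration.

```python
"""Adaptive MFA decision: allow / step_up / deny from request context.
Added example; fields, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

PRIVILEGED_ROLES = {"domain_admin", "local_admin", "cloud_admin"}   # assumed role names

STEP_UP_AT = 3     # risk score at which an additional factor is demanded
DENY_AT = 6        # risk score at which the request is refused outright


@dataclass
class AccessRequest:
    user: str
    roles: set = field(default_factory=set)
    service_account: bool = False      # non-human identity (service account, API client)
    known_device: bool = True          # device previously registered for this user
    corporate_network: bool = True
    country: str = "US"
    home_country: str = "US"
    resource_sensitivity: str = "low"  # "low" or "high"
    has_client_certificate: bool = False


def score(req: AccessRequest):
    """Return (risk_score, reasons); each matching rule adds to the score."""
    risk, reasons = 0, []
    if req.roles & PRIVILEGED_ROLES:
        risk += 3                      # privileged users always reach STEP_UP_AT
        reasons.append("privileged user")
    if not req.known_device:
        risk += 2
        reasons.append("unregistered device")
    if not req.corporate_network:
        risk += 1
        reasons.append("off-network")
    if req.country != req.home_country:
        risk += 2
        reasons.append("unusual country")
    if req.resource_sensitivity == "high":
        risk += 2
        reasons.append("sensitive resource")
    return risk, reasons


def decide(req: AccessRequest):
    """Map context to a decision. Returns (decision, reasons)."""
    if req.service_account:
        # Machines cannot complete an interactive challenge; require a bound
        # credential (here a client certificate) from the corporate network instead.
        if req.has_client_certificate and req.corporate_network:
            return "allow", ["service account with client certificate"]
        return "deny", ["service account without bound credential"]
    risk, reasons = score(req)
    if risk >= DENY_AT:
        return "deny", reasons
    if risk >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons
```

Returning the reasons alongside the decision matters in practice: they are what the help desk sees when a user asks why they were prompted, and what the SOC correlates when a deny fires for an administrator from an unregistered device.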

4. Add supporting technologies. 

While MFA enhances security, organizations need solutions that enable a holistic approach to security monitoring and incident detection. For a defense-in-depth approach to cloud security, organizations may want to consider technologies that support their objectives, like: 

  • Web application firewall (WAF): filters, monitors, and blocks traffic to mitigate risks against identity providers, websites, or APIs arising from known vulnerabilities, like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) 
  • API security: discovers APIs, remediates errors, detects and prevents API attacks, including mitigating account takeover risks through an identity provider or API and authenticating API requests 
  • Bot Management: detects and mitigates risks by identifying legitimate and malicious bots based on their behavior, like detecting brute force attacks against APIs or account takeovers 
  • DDoS Mitigation Tools: protects logins for identity providers so that users can still log into all of the services that depend on the IdP 

Vercara: cloud-based security to support MFA. 

Vercara’s cloud-based security services and technologies provide built-in support for MFA and SSO implementations, and for the services that rely on them, at no additional cost, improving customers’ cloud security posture. Our security solutions combine a resilient, cloud-based platform with exceptional customer service to help companies mitigate risks arising from malicious activities like credential stuffing, ransomware, phishing, DDoS, and supply chain attacks. With our API security solutions, organizations can create a comprehensive cloud security program to protect their sensitive data and their customers.  

Published On: July 11, 2024
Last Updated: July 17, 2024